每天一個PHP語法五引用計數與寫時複製的實現

說明

這裡基於php7.2.5進行測試，php7之後內部結構變化應該不是太大，但與php5.X有差別。

引用計數

我們之前說過存放字符串的結構為zend_stirng, 忘了的看著裡zend_stirng

<code>struct _zend_string {
  // 這裡是引用計數
	zend_refcounted_h gc; 
	zend_ulong        h;                /* hash value */
	size_t            len; // 長度
	char              val[1]; // 內容
};/<code>

來看zend_refcounted_h的結構

<code>typedef struct _zend_refcounted_h {
  // 我們只關注這裡 整型的 引用計數 1/2/3...
	uint32_t         refcount;			/* reference counter 32-bit */
	union {
		struct {
			ZEND_ENDIAN_LOHI_3(
				zend_uchar    type,
				zend_uchar    flags,    /* used for strings & objects */
				uint16_t      gc_info)  /* keeps GC root number (or 0) and color */
		} v;
		uint32_t type_info;
	} u;
} zend_refcounted_h;/<code>

引用計數是什麼

因為引用計數存在zend_value的具體類型中的，如zend_string, zend_array等，所以，引用計數是指當前這個zend_value被多少個zval指向。

引用計數如何產生作用

<code>
$a = time()."hello";
echo $a;

$b = $a;

echo $b;/<code>

當賦值$a時，$a指向"hi".time()所在的zend_value, 所以此時引用計數為1

當$b賦值時，$b也指向了"hi".time(), 這時引用計數更新為2

<code>$a = time()."hello";
echo $a;

$b = $a;

echo $b;

unset($b);

echo $a;/<code>

這裡我們通過gdb調試程序可以看到引用計數的變化

<code>gdb /home/php7.2.5/debug/bin/php
// 設置斷點  ZEND_ECHO_SPEC_CV_HANDLER 是echo 的處理程序
(gdb) b ZEND_ECHO_SPEC_CV_HANDLER
Breakpoint 1 at 0x973289: file /root/php-7.2.5/Zend/zend_vm_execute.h, line 33086.
// 運行腳本
(gdb) run hello.php

// 第一個echo斷點
Breakpoint 1, ZEND_ECHO_SPEC_CV_HANDLER () at /root/php-7.2.5/Zend/zend_vm_execute.h:33086
33086		SAVE_OPLINE();
Missing separate debuginfos, use: debuginfo-install glibc-2.17-222.el7.x86_64 libxml2-2.9.1-6.el7_2.3.x86_64 nss-softokn-freebl-3.36.0-5.el7_5.x86_64 xz-libs-5.2.2-1.el7.x86_64 zlib-1.2.7-17.el7.x86_64
(gdb) n
33087		z = _get_zval_ptr_cv_undef(opline->op1.var EXECUTE_DATA_CC);
(gdb) n
33089		if (Z_TYPE_P(z) == IS_STRING) {
// 打印當前zval， zval.u1.v.type=6說明是字符串
(gdb) p *z
$1 = {value = {lval = 140737318919936, dval = 6.9533474366143666e-310, counted = 0x7ffff5e69f00, str = 0x7ffff5e69f00, arr = 0x7ffff5e69f00, obj = 0x7ffff5e69f00,
    res = 0x7ffff5e69f00, ref = 0x7ffff5e69f00, ast = 0x7ffff5e69f00, zv = 0x7ffff5e69f00, ptr = 0x7ffff5e69f00, ce = 0x7ffff5e69f00, func = 0x7ffff5e69f00, ww = {
      w1 = 4125531904, w2 = 32767}}, u1 = {v = {type = 6 '\006', type_flags = 20 '\024', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 5126}, u2 = {next = 0,
    cache_slot = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, access_flags = 0, property_guard = 0, extra = 0}}
(gdb) p *$1.value.str
// 可以看到 目前的refcount=1
$2 = {gc = {refcount = 1, u = {v = {type = 6 '\006', flags = 0 '\000', gc_info = 0}, type_info = 6}}, h = 0, len = 15, val = "1"}
(gdb) p *$2.val@15
$3 = "1587044278hello"
(gdb) n
33090			zend_string *str = Z_STR_P(z);
(gdb) n
33092			if (ZSTR_LEN(str) != 0) {
(gdb) c
Continuing.
1587044278hello
// 到了第二個echo
Breakpoint 1, cli () at /root/php-7.2.5/Zend/zend_vm_execute.h:33086
33086		SAVE_OPLINE();
(gdb) p z
$4 = (zval *) 0x7ffff5e1e090
// 打印當前的zval 
(gdb) p *z
$5 = {value = {lval = 140737318919936, dval = 6.9533474366143666e-310, counted = 0x7ffff5e69f00, str = 0x7ffff5e69f00, arr = 0x7ffff5e69f00, obj = 0x7ffff5e69f00,
    res = 0x7ffff5e69f00, ref = 0x7ffff5e69f00, ast = 0x7ffff5e69f00, zv = 0x7ffff5e69f00, ptr = 0x7ffff5e69f00, ce = 0x7ffff5e69f00, func = 0x7ffff5e69f00, ww = {
      w1 = 4125531904, w2 = 32767}}, u1 = {v = {type = 6 '\006', type_flags = 20 '\024', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 5126}, u2 = {next = 0,
    cache_slot = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, access_flags = 0, property_guard = 0, extra = 0}}
(gdb) p *$5.value.str
// 可以看到refount增加為2
$6 = {gc = {refcount = 2, u = {v = {type = 6 '\006', flags = 0 '\000', gc_info = 0}, type_info = 6}}, h = 0, len = 15, val = "1"}
/<code>

可以看到當給$a賦值時，值的引用計數為1，當$a賦值給$b，引用計數再次加1變為2.

<code>// unset 操作的處理
Breakpoint 2, ZEND_UNSET_CV_SPEC_CV_UNUSED_HANDLER () at /root/php-7.2.5/Zend/zend_vm_execute.h:40511
40511		zval *var = EX_VAR(opline->op1.var);
(gdb) n
40513		if (Z_REFCOUNTED_P(var)) {
(gdb) n
40514			zend_refcounted *garbage = Z_COUNTED_P(var);
(gdb) n
40516			ZVAL_UNDEF(var);
(gdb) n
40517			SAVE_OPLINE();
(gdb) n
// --GC_REFCOUNT 引用計數減一
40518			if (!--GC_REFCOUNT(garbage)) {
(gdb) n
40521				gc_check_possible_root(garbage);
(gdb) n
40523			ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION();
(gdb) n
40528	}
(gdb) p *var
$5 = {value = {lval = 140737318919936, dval = 6.9533474366143666e-310, counted = 0x7ffff5e69f00, str = 0x7ffff5e69f00, arr = 0x7ffff5e69f00, obj = 0x7ffff5e69f00,
    res = 0x7ffff5e69f00, ref = 0x7ffff5e69f00, ast = 0x7ffff5e69f00, zv = 0x7ffff5e69f00, ptr = 0x7ffff5e69f00, ce = 0x7ffff5e69f00, func = 0x7ffff5e69f00, ww = {
      w1 = 4125531904, w2 = 32767}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 0}, u2 = {next = 0,
    cache_slot = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, access_flags = 0, property_guard = 0, extra = 0}}
(gdb) p *$5.value.str
// 再次打印value的refcount變為1
$6 = {gc = {refcount = 1, u = {v = {type = 6 '\006', flags = 0 '\000', gc_info = 0}, type_info = 6}}, h = 0, len = 15, val = "1"}
(gdb)/<code>

也就是在執行unset($b)之後引用計數減一

寫時複製

意思就是變量發生變化時再複製一份。

如上所示$b=$a時，並沒有把$a複製一份給$b,而是$b、$a指向同一個zend_value, 並更新zend_value的refcount，這樣是節省內存的。

那如果接著操作$b重新賦值會發生什麼呢

<code>$a = time()."hello";
echo $a;

$b = $a;


$b = "hi".time();

echo $b;/<code>

看調試結果

<code>(gdb) p *z
$1 = {value = {lval = 140737318919856, dval = 6.9533474366104141e-310, counted = 0x7ffff5e69eb0, str = 0x7ffff5e69eb0, arr = 0x7ffff5e69eb0, obj = 0x7ffff5e69eb0,
    res = 0x7ffff5e69eb0, ref = 0x7ffff5e69eb0, ast = 0x7ffff5e69eb0, zv = 0x7ffff5e69eb0, ptr = 0x7ffff5e69eb0, ce = 0x7ffff5e69eb0, func = 0x7ffff5e69eb0, ww = {
      w1 = 4125531824, w2 = 32767}}, u1 = {v = {type = 6 '\006', type_flags = 20 '\024', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 5126}, u2 = {next = 0,
    cache_slot = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, access_flags = 0, property_guard = 0, extra = 0}}
(gdb) p z
$2 = (zval *) 0x7ffff5e1e080
(gdb) p *$1.value.str
// $a = time()."hello" 之後 refcount=1
$3 = {gc = {refcount = 1, u = {v = {type = 6 '\006', flags = 0 '\000', gc_info = 0}, type_info = 6}}, h = 0, len = 15, val = "1"}
(gdb) p *$3.val@15
$4 = "1587215850hello"
......
(gdb) c
Continuing.
1587215850hello
// $b = $a 操作
Breakpoint 2, ZEND_ASSIGN_SPEC_CV_CV_RETVAL_UNUSED_HANDLER () at /root/php-7.2.5/Zend/zend_vm_execute.h:43779
43779		SAVE_OPLINE();
(gdb) n
43780		value = _get_zval_ptr_cv_BP_VAR_R(opline->op2.var EXECUTE_DATA_CC);
(gdb) n
43781		variable_ptr = _get_zval_ptr_cv_undef_BP_VAR_W(opline->op1.var EXECUTE_DATA_CC);
(gdb) n
43789			value = zend_assign_to_variable(variable_ptr, value, IS_CV);
(gdb) n
43797		ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION();
(gdb) n
43798	}
(gdb) p *value
$5 = {value = {lval = 140737318919856, dval = 6.9533474366104141e-310, counted = 0x7ffff5e69eb0, str = 0x7ffff5e69eb0, arr = 0x7ffff5e69eb0, obj = 0x7ffff5e69eb0,
    res = 0x7ffff5e69eb0, ref = 0x7ffff5e69eb0, ast = 0x7ffff5e69eb0, zv = 0x7ffff5e69eb0, ptr = 0x7ffff5e69eb0, ce = 0x7ffff5e69eb0, func = 0x7ffff5e69eb0, ww = {
      w1 = 4125531824, w2 = 32767}}, u1 = {v = {type = 6 '\006', type_flags = 20 '\024', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 5126}, u2 = {next = 0,
    cache_slot = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, access_flags = 0, property_guard = 0, extra = 0}}
(gdb) p *$5.value.str
// $b = $a之後 refcount=2
$6 = {gc = {refcount = 2, u = {v = {type = 6 '\006', flags = 0 '\000', gc_info = 0}, type_info = 6}}, h = 0, len = 15, val = "1"}

....

// $b = "hi".time()
Breakpoint 1, ZEND_ECHO_SPEC_CV_HANDLER () at /root/php-7.2.5/Zend/zend_vm_execute.h:33086
33086		SAVE_OPLINE();
(gdb) n
33087		z = _get_zval_ptr_cv_undef(opline->op1.var EXECUTE_DATA_CC);
(gdb) n
33089		if (Z_TYPE_P(z) == IS_STRING) {
(gdb) p *z
  // 注意str的地址 跟$a不是一個了
$7 = {value = {lval = 140737318919936, dval = 6.9533474366143666e-310, counted = 0x7ffff5e69f00, str = 0x7ffff5e69f00, arr = 0x7ffff5e69f00, obj = 0x7ffff5e69f00,
    res = 0x7ffff5e69f00, ref = 0x7ffff5e69f00, ast = 0x7ffff5e69f00, zv = 0x7ffff5e69f00, ptr = 0x7ffff5e69f00, ce = 0x7ffff5e69f00, func = 0x7ffff5e69f00, ww = {
      w1 = 4125531904, w2 = 32767}}, u1 = {v = {type = 6 '\006', type_flags = 20 '\024', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 5126}, u2 = {next = 0,
    cache_slot = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, access_flags = 0, property_guard = 0, extra = 0}}
(gdb) p *$7.value.str
// 新值的refcount=1
$8 = {gc = {refcount = 1, u = {v = {type = 6 '\006', flags = 0 '\000', gc_info = 0}, type_info = 6}}, h = 0, len = 12, val = "h"}
(gdb) p *$8.val@12
$12 = "hi1587216014"

// 再來看 原值的refcount 變為了1
(gdb) p *$1.value.str
$11 = {gc = {refcount = 1, u = {v = {type = 6 '\006', flags = 0 '\000', gc_info = 0}, type_info = 6}}, h = 0, len = 15, val = "1"}/<code>

總結

引用計數與寫時複製是PHP自動垃圾回收的基礎。

通過對zval的引用計數的變化監測判斷是否可以回收變量，而寫時複製則會節省變量所佔內存。

注意事項：

gdb調試時，PHP必須要打開debug模式，在編譯的時候加上--enable-debug即可

參考資料：

《PHP7內核剖析》